Companies should be taking advantage of the Epsilon data breach and other similar incidents to train their employees to recognize what a data breach looks like.
With a number of
high-profile data breaches dominating headlines recently, especially the latest
one from email marketing company Epsilon, smaller companies may be wondering
what they can do to ensure how they can survive a similar attack. The answer
seems to be training employees to recognize targeted attacks using these "real-world"
Epsilon, a large email
marketing services company with a roster of A-list clients, disclosed April 1
that attackers had stolen customer
data belonging to several of its clients
. While the extent of the breach is
still under investigation, the initial list of affected companies includes
several financial organizations, major hotel chains and big retailers. The
company warned that thieves might use the information to launch a phishing
campaign to trick users out of more sensitive personal data.
regardless of size or industry, should be taking advantage of the Epsilon
breach as a learning opportunity. There will be a "plethora of phishing samples
for training people," Randy Abrams, director of technical education at ESET,
While many people will learn
about phishing the hard way, this could be a "huge" educational opportunity
that would help millions more people learn to protect themselves against
phishing, he said. In the long run, the number of people affected will not be
any higher than if the breach hadn't happened, according to Abrams.
"It's just that for many
people it will happen sooner rather than later," he said.
Smaller companies need to
evaluate what information is critical to their business operations, and secure
that information accordingly, Marcus Carey, security community manager at
Rapid7, told eWEEK. They have to minimize damage, as a "determined attacker"
will get in with enough time, resources and motivation, according to Carey.
Organizations should train
their staff using recent breaches, "since they are real-world examples," Carey
said. Developing an incident response/awareness program and running practice
scenarios will also help employees to "act on instinct" and recognize the scams
for what they are, which will help organizations minimize the damage when an
attack occurs, he said.
Smaller organizations are
generally "less of a target" for this kind of theft unless they have
"high-value clients," Abrams said. However, that doesn't mean these
organizations can count on security through obscurity, as there are a "plethora
of cyber-crime attacks" that can penetrate the weaker defenses, he said.
ESET's Abrams said smaller
organizations should trust in hosted services as they generally have "higher-quality
security expertise" than they can afford to have in house. He differentiated
his recommendation from the Epsilon breach, noting that the company was a "spam
company," not a security company.
The organizations sharing
their customer data with third-party providers should be making the effort to
clearly understand the provider's security process right at the outset, Dick
Mackey, vice president of consulting at SystemExperts, told eWEEK. Companies
need to assess the level of risk of going to a third-party provider before a
breach happens, and have a "specific partner security management program in
place," Mackey said.
Abrams agreed: "There is no
perfect security. If the net result of outsourcing your security is an
improvement in security, then it is a good thing, but there is no perfect
security, only risk management," he said.
What the Epsilon breach
highlights is that no one is immune from the problem, Anup Ghosh, chief
scientist and founder of Invincea, told eWEEK.